e1e6006649d476a243c058b0df39c29c2e464ee97fbedbdf531075cc6204b37d

General

Target

173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe
Size

310KB
MD5

173d0e92303587e1f3564b59eb463c25
SHA1

e0816bebae695d3f988a4969c34fd6e06b3e9191
SHA256

e1e6006649d476a243c058b0df39c29c2e464ee97fbedbdf531075cc6204b37d
SHA512

023d95dc6ac09c7a1388f73499ae671f54566938c01a594b6a501dceec3395d925d8bc0761f3d280fb29cb1110214673fee7ccf98388a3d31a6e562a58a74c1c
SSDEEP

6144:pmQXVDBkM4le0xNQD8ntXHilVuW+gA9x4O+BUjwgN6cexETrRd:0QFhYnN1nNH21+g+x4O+Bj065ErD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3964	WINS.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\WINS.exe	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe
File opened for modification	C:\Windows\WINS.exe	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe
File created	C:\Windows\uninstal.bat	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WINS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WINS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WINS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WINS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WINS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe
Token: SeDebugPrivilege	3964	WINS.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3964	WINS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4856	3964	WINS.exe	83
PID 3964 wrote to memory of 4856	3964	WINS.exe	83
PID 3336 wrote to memory of 3956	3336	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe	84
PID 3336 wrote to memory of 3956	3336	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe	84
PID 3336 wrote to memory of 3956	3336	173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\173d0e92303587e1f3564b59eb463c25_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956

C:\Windows\WINS.exe
C:\Windows\WINS.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WINS.exe

Filesize
310KB

MD5
173d0e92303587e1f3564b59eb463c25

SHA1
e0816bebae695d3f988a4969c34fd6e06b3e9191

SHA256
e1e6006649d476a243c058b0df39c29c2e464ee97fbedbdf531075cc6204b37d

SHA512
023d95dc6ac09c7a1388f73499ae671f54566938c01a594b6a501dceec3395d925d8bc0761f3d280fb29cb1110214673fee7ccf98388a3d31a6e562a58a74c1c

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
082b364047dc8330a917799cd44b477e

SHA1
e0ef662f46391a05fe72c2be9ccfe99fd4801292

SHA256
26da2261e08d938df2488d37df5dc831c9ee1a2a31e68524e78ac15b9a229c68

SHA512
a2f3f5c4c3745deaa9e61c0059015cfdead062d1faa357eeafff3b1c492b2383a3d63ce8478e13b0e99cc10fa68c5b219d5066e5b4b19f6d1a31dc5610ed1f85

Download Submit
memory/3336-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3336-1-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3336-2-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3336-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3336-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3964-9-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3964-8-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3964-14-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3964-15-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3964-17-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3964-21-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing